misp-circl-feed/feeds/circl/misp/2af530f6-7486-4a15-aa87-248d0c0b1e9f.json

{
"Event": {
"analysis": "0",
"date": "2022-02-15",
"extends_uuid": "",
"info": "Charting TA2541's Flight",
"publish_timestamp": "1666778598",
"published": true,
"threat_level_id": "1",
"timestamp": "1666773062",
"uuid": "2af530f6-7486-4a15-aa87-248d0c0b1e9f",
"Orgc": {
"name": "CIRCL",
"uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f"
},
"Tag": [
{
"colour": "#440055",
"name": "ms-caro-malware:malware-type=\"RemoteAccess\""
},
{
"colour": "#4bec00",
"name": "enisa:nefarious-activity-abuse=\"remote-access-tool\""
},
{
"colour": "#008ba9",
"name": "veris:asset:variety=\"S - Remote access\""
},
{
"colour": "#00bde6",
"name": "veris:action:misuse:vector=\"Remote access\""
},
{
"colour": "#001739",
"name": "ms-caro-malware-full:malware-type=\"RemoteAccess\""
},
{
"colour": "#5f0044",
"name": "CERT-XLM:malicious-code=\"spyware-rat\""
},
{
"colour": "#004646",
"name": "type:OSINT"
},
{
"colour": "#0071c3",
"name": "osint:lifetime=\"perpetual\""
},
{
"colour": "#0087e8",
"name": "osint:certainty=\"50\""
},
{
"colour": "#ffffff",
"name": "tlp:white"
},
{
"colour": "#0088cc",
"name": "misp-galaxy:threat-actor=\"TA2541\""
},
{
"colour": "#326300",
"name": "circl:incident-classification=\"phishing\""
}
],
"Attribute": [
{
"category": "Payload delivery",
"comment": "Email lure requesting information on aircraft parts.",
"data": "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
"deleted": false,
"disable_correlation": false,
"timestamp": "1645192014",
"to_ids": false,
"type": "attachment",
"uuid": "62d778fa-31d2-4fce-873d-e52d520f490c",
"value": "Screen Shot 2022-02-09 at 9.15.21 AM.png"
},
{
"category": "Payload delivery",
"comment": "Email lure requesting ambulatory flight information.",
"data": "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
"deleted": false,
"disable_correlation": false,
"timestamp": "1645193100",
"to_ids": false,
"type": "attachment",
"uuid": "8a6753cd-78ca-47c2-bce5-28157520225a",
"value": "Screen Shot 2022-02-09 at 9.16.20 AM.png"
},
{
"category": "Payload delivery",
"comment": "PPE themed lure used by TA2541.",
"data": "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
"deleted": false,
"disable_correlation": false,
"timestamp": "1645194143",
"to_ids": false,
"type": "attachment",
"uuid": "8750e8ca-860e-4233-8124-939b41750ebb",
"value": "Screen Shot 2022-02-09 at 9.29.02 AM.png"
},
{
"category": "External analysis",
"comment": "The figure below depicts an example from a recent campaign where the PowerShell code is hosted on the paste.ee URL: https://paste[.]ee/r/01f2w/0",
"data": "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
"deleted": false,
"disable_correlation": false,
"timestamp": "1645195002",
"to_ids": false,
"type": "attachment",
"uuid": "b6776413-b39b-408c-a448-18417210dc8c",
"value": "Screen Shot 2022-02-09 at 9.18.02 AM.png"
},
{
"category": "Persistence mechanism",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1645195206",
"to_ids": true,
"type": "filename",
"uuid": "fe0176be-c570-4f2b-b9ae-c7023ca7b71b",
"value": "C:\\Users[User]\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\SystemFramework64Bits.vbs"
},
{
"category": "Persistence mechanism",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1645195254",
"to_ids": true,
"type": "filename",
"uuid": "4acf48c6-3ed1-4f94-bea7-1b6fe801b981",
"value": "UserInterfaceLogin.vbs"
},
{
"category": "Persistence mechanism",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1645195254",
"to_ids": true,
"type": "filename",
"uuid": "2c869f55-df5e-4fcc-bf17-62fc3863bb19",
"value": "HandlerUpdate64Bits.vbs"
},
{
"category": "Persistence mechanism",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1645195254",
"to_ids": true,
"type": "filename",
"uuid": "a133c8af-bc05-4bb2-a36e-90b4af326986",
"value": "WindowsCrashReportFix.vbs"
},
{
"category": "Persistence mechanism",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1645195254",
"to_ids": true,
"type": "filename",
"uuid": "3628809d-188b-4847-b6e0-35480e458a45",
"value": "SystemHardDrive.vbs"
},
{
"category": "External analysis",
"comment": "Scheduled Tasks",
"deleted": false,
"disable_correlation": false,
"timestamp": "1645195434",
"to_ids": false,
"type": "text",
"uuid": "e621892e-e32d-42f9-afd4-92e58d53e48c",
"value": "schtasks.exe /Create /TN \"Updates\\BQVIiVtepLtz\" /XML %TEMP%\\tmp7CF8.tmp \r\n\r\nschtasks /create /sc minute /mo 1 /tn Skype /tr \"%APPDATA%\\xubntzl.txt\""
},
{
"category": "External analysis",
"comment": "ET Signatures",
"deleted": false,
"disable_correlation": false,
"timestamp": "1645707771",
"to_ids": false,
"type": "text",
"uuid": "8ab0b8d2-636c-42b7-849b-b0e371b5abc1",
"value": "2034978 - ET POLICY Pastebin-style Service (paste .ee) in TLS SNI \r\n2034979 - ET HUNTING Powershell Request for paste .ee Page \r\n2034980 - ET MALWARE Powershell with Decimal Encoded RUNPE Downloaded \r\n2850933 - ETPRO HUNTING Double Extension VBS Download from Google Drive \r\n2850934 - ETPRO HUNTING Double Extension PIF Download from Google Drive \r\n2850936 - ETPRO HUNTING VBS Download from Google Drive"
}
],
"Object": [
{
"comment": "",
"deleted": false,
"description": "Metadata used to generate an executive level report",
"meta-category": "misc",
"name": "report",
"template_uuid": "70a68471-df22-4e3f-aa1a-5a3be19f82df",
"template_version": "5",
"timestamp": "1645180773",
"uuid": "e69d8cb6-b8a0-42bc-8c6c-e029f4b5ffd0",
"Attribute": [
{
"category": "External analysis",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "link",
"timestamp": "1645180773",
"to_ids": false,
"type": "link",
"uuid": "71dbce6b-e0d5-4baa-ae4d-63c408ffbd95",
"value": "https://www.proofpoint.com/us/blog/threat-insight/charting-ta2541s-flight"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "summary",
"timestamp": "1645180773",
"to_ids": false,
"type": "text",
"uuid": "ca132417-e0d2-4bc2-aa21-d610314a583b",
"value": "Proofpoint's analysis of TA2541, a persistent cybercriminal actor that distributes various remote access trojans (RATs) targeting the aviation, aerospace, transportation, and defense industries, among others."
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "type",
"timestamp": "1645180773",
"to_ids": false,
"type": "text",
"uuid": "7f8396c6-e14e-4388-b8af-9a4522f0a26f",
"value": "Report"
}
]
},
{
"comment": "",
"deleted": false,
"description": "Registry key object describing a Windows registry key with value and last-modified timestamp",
"meta-category": "file",
"name": "registry-key",
"template_uuid": "8b3228ad-6d82-4fe6-b2ae-05426308f1d5",
"template_version": "4",
"timestamp": "1645195323",
"uuid": "b8f20704-a074-4f20-bc8a-9f11b9097cc6",
"Attribute": [
{
"category": "Persistence mechanism",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "data",
"timestamp": "1645195323",
"to_ids": false,
"type": "text",
"uuid": "00ad07fe-b5d0-41e7-b62f-ffa9fac457a3",
"value": "C:\\Users[User]\\AppData\\Roaming\\server\\server.exe"
},
{
"category": "Persistence mechanism",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "key",
"timestamp": "1645195323",
"to_ids": true,
"type": "regkey",
"uuid": "34824001-4c58-45e1-8dde-7bbd7a66cac8",
"value": "HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\svchost"
}
]
},
{
"comment": "",
"deleted": false,
"description": "Registry key object describing a Windows registry key with value and last-modified timestamp",
"meta-category": "file",
"name": "registry-key",
"template_uuid": "8b3228ad-6d82-4fe6-b2ae-05426308f1d5",
"template_version": "4",
"timestamp": "1645195360",
"uuid": "9ae3bc26-f58a-4300-94ab-90458a50a139",
"Attribute": [
{
"category": "Persistence mechanism",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "data",
"timestamp": "1645195360",
"to_ids": false,
"type": "text",
"uuid": "f1a38889-c0ce-4b25-b00a-58810525c282",
"value": "%APPDATA%\\xubntzl.txt"
},
{
"category": "Persistence mechanism",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "key",
"timestamp": "1645195360",
"to_ids": true,
"type": "regkey",
"uuid": "4d62a448-1413-480b-bed0-4b05596105c0",
"value": "HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\xubntzl"
}
]
},
{
"comment": "AsyncRAT C2 Domain \r\nObserved Throughout 2021 ",
"deleted": false,
"description": "url object describes an url along with its normalized field (like extracted using faup parsing library) and its metadata.",
"meta-category": "network",
"name": "url",
"template_uuid": "60efb77b-40b5-4c46-871b-ed1ed999fce5",
"template_version": "9",
"timestamp": "1645436952",
"uuid": "5167f167-110f-4077-a9fb-241c1313b211",
"Attribute": [
{
"category": "Network activity",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "url",
"timestamp": "1645436952",
"to_ids": true,
"type": "url",
"uuid": "6eb2c6ca-9207-47d9-8ce3-4a9f7d34ac42",
"value": "joelthomas.linkpc.net"
}
]
},
{
"comment": "AsyncRAT C2 Domain \r\nObserved in January 2022",
"deleted": false,
"description": "url object describes an url along with its normalized field (like extracted using faup parsing library) and its metadata.",
"meta-category": "network",
"name": "url",
"template_uuid": "60efb77b-40b5-4c46-871b-ed1ed999fce5",
"template_version": "9",
"timestamp": "1645437031",
"uuid": "a7ab830c-17f5-4025-9117-7c9a00d43a2c",
"Attribute": [
{
"category": "Network activity",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "url",
"timestamp": "1645437031",
"to_ids": true,
"type": "url",
"uuid": "0ec1d1a0-e9c4-4953-9b75-34a3c1dc5613",
"value": "rick63.publicvm.com"
}
]
},
{
"comment": "Revenge RAT C2 Domain \r\nObserved in March 2021 \r\n",
"deleted": false,
"description": "url object describes an url along with its normalized field (like extracted using faup parsing library) and its metadata.",
"meta-category": "network",
"name": "url",
"template_uuid": "60efb77b-40b5-4c46-871b-ed1ed999fce5",
"template_version": "9",
"timestamp": "1645536153",
"uuid": "5342d9e1-7c5d-4828-a628-83921af6f5da",
"Attribute": [
{
"category": "Network activity",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "url",
"timestamp": "1645536153",
"to_ids": true,
"type": "url",
"uuid": "c8974d5e-0e57-4b77-8d28-20f159042019",
"value": "kimjoy.ddns.net"
}
]
},
{
"comment": "AsyncRAT C2 Domain \r\nObserved in April/May 2021 \r\n",
"deleted": false,
"description": "url object describes an url along with its normalized field (like extracted using faup parsing library) and its metadata.",
"meta-category": "network",
"name": "url",
"template_uuid": "60efb77b-40b5-4c46-871b-ed1ed999fce5",
"template_version": "9",
"timestamp": "1645536219",
"uuid": "58fa717d-e89b-46a4-af67-555b5edd2dd3",
"Attribute": [
{
"category": "Network activity",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "url",
"timestamp": "1645536219",
"to_ids": true,
"type": "url",
"uuid": "083e66b9-0013-4941-af7f-a76ec9a2a144",
"value": "h0pe.ddns.net"
}
]
},
{
"comment": "AsyncRAT C2 Domain \r\nObserved in September 2021 \r\n",
"deleted": false,
"description": "url object describes an url along with its normalized field (like extracted using faup parsing library) and its metadata.",
"meta-category": "network",
"name": "url",
"template_uuid": "60efb77b-40b5-4c46-871b-ed1ed999fce5",
"template_version": "9",
"timestamp": "1645536567",
"uuid": "88ad8d69-fd5c-4a63-b3ea-61e277aa6075",
"Attribute": [
{
"category": "Network activity",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "url",
"timestamp": "1645536567",
"to_ids": true,
"type": "url",
"uuid": "b4a561a8-36b9-4796-af67-7cbaeaf255b2",
"value": "6001dc.ddns.net"
}
]
},
{
"comment": "AsyncRAT C2 Domain \r\nObserved in December 2021 \r\n",
"deleted": false,
"description": "url object describes an url along with its normalized field (like extracted using faup parsing library) and its metadata.",
"meta-category": "network",
"name": "url",
"template_uuid": "60efb77b-40b5-4c46-871b-ed1ed999fce5",
"template_version": "9",
"timestamp": "1645542100",
"uuid": "5539b401-b3de-4a63-8408-8931221e2eef",
"Attribute": [
{
"category": "Network activity",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "url",
"timestamp": "1645542100",
"to_ids": true,
"type": "url",
"uuid": "d03eb20b-bd58-4d3d-99da-605183461915",
"value": "bigdips0n.publicvm.com"
}
]
},
{
"comment": "AsyncRAT C2 Domain \r\nObserved in January 2022 \r\n",
"deleted": false,
"description": "url object describes an url along with its normalized field (like extracted using faup parsing library) and its metadata.",
"meta-category": "network",
"name": "url",
"template_uuid": "60efb77b-40b5-4c46-871b-ed1ed999fce5",
"template_version": "9",
"timestamp": "1645542126",
"uuid": "628537f8-082a-4e57-a999-3ce83edf1916",
"Attribute": [
{
"category": "Network activity",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "url",
"timestamp": "1645542126",
"to_ids": true,
"type": "url",
"uuid": "bf012e64-d747-4f95-80c4-834fd49806d4",
"value": "bodmas01.zapto.org"
}
]
},
{
"comment": "AsyncRAT C2 Domain \r\nObserved in June 2021 \r\n",
"deleted": false,
"description": "url object describes an url along with its normalized field (like extracted using faup parsing library) and its metadata.",
"meta-category": "network",
"name": "url",
"template_uuid": "60efb77b-40b5-4c46-871b-ed1ed999fce5",
"template_version": "9",
"timestamp": "1645542149",
"uuid": "ac69b73c-cec5-4d3c-ba0f-d09d9c0f6c5a",
"Attribute": [
{
"category": "Network activity",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "url",
"timestamp": "1645542149",
"to_ids": true,
"type": "url",
"uuid": "235b81aa-00b3-4d3f-a93c-31140741cf93",
"value": "e29rava.ddns.net"
}
]
},
{
"comment": "AsyncRAT C2 Domain \r\nObserved in July 2021 \r\n",
"deleted": false,
"description": "url object describes an url along with its normalized field (like extracted using faup parsing library) and its metadata.",
"meta-category": "network",
"name": "url",
"template_uuid": "60efb77b-40b5-4c46-871b-ed1ed999fce5",
"template_version": "9",
"timestamp": "1645542181",
"uuid": "99e898e2-c31d-4d78-ae4f-ad89da26a73c",
"Attribute": [
{
"category": "Network activity",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "url",
"timestamp": "1645542181",
"to_ids": true,
"type": "url",
"uuid": "c713d189-8509-4c4e-8739-1e9c4f56f6db",
"value": "akconsult.ddns.net"
}
]
},
{
"comment": "StrRAT C2 Domain \r\nObserved in January 2022 \r\n",
"deleted": false,
"description": "url object describes an url along with its normalized field (like extracted using faup parsing library) and its metadata.",
"meta-category": "network",
"name": "url",
"template_uuid": "60efb77b-40b5-4c46-871b-ed1ed999fce5",
"template_version": "9",
"timestamp": "1645542203",
"uuid": "cc6b04fc-0b4d-49f0-aa61-2567aaec8cf5",
"Attribute": [
{
"category": "Network activity",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "url",
"timestamp": "1645542203",
"to_ids": true,
"type": "url",
"uuid": "48583d8d-1bc4-4979-b272-99b178809912",
"value": "grace5321.publicvm.com"
}
]
},
{
"comment": "Imminent Monitor C2 Domain \r\nObserved in November 2021 \r\n",
"deleted": false,
"description": "url object describes an url along with its normalized field (like extracted using faup parsing library) and its metadata.",
"meta-category": "network",
"name": "url",
"template_uuid": "60efb77b-40b5-4c46-871b-ed1ed999fce5",
"template_version": "9",
"timestamp": "1645542228",
"uuid": "4e311bed-a38f-4064-8de9-7eb32bebdacd",
"Attribute": [
{
"category": "Network activity",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "url",
"timestamp": "1645542228",
"to_ids": true,
"type": "url",
"uuid": "8a67e71d-9dbb-4f3a-8c5f-3c18398de083",
"value": "grace5321.publicvm.com"
}
]
},
{
"comment": "AsyncRAT C2 Domain \r\nObserved in January 2022 \r\n",
"deleted": false,
"description": "url object describes an url along with its normalized field (like extracted using faup parsing library) and its metadata.",
"meta-category": "network",
"name": "url",
"template_uuid": "60efb77b-40b5-4c46-871b-ed1ed999fce5",
"template_version": "9",
"timestamp": "1645542248",
"uuid": "1225baa7-e3e9-4d64-b0d0-140012fb4987",
"Attribute": [
{
"category": "Network activity",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "url",
"timestamp": "1645542248",
"to_ids": true,
"type": "url",
"uuid": "575e5c9a-686e-4869-88d7-428d57ed41ce",
"value": "tq744.publicvm.com"
}
]
},
{
"comment": "",
"deleted": false,
"description": "File object describing a file with meta-information",
"meta-category": "file",
"name": "file",
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
"template_version": "24",
"timestamp": "1645612354",
"uuid": "9d7ba649-2b4e-4dc0-ad58-fec05509454a",
"Attribute": [
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha256",
"timestamp": "1645612354",
"to_ids": true,
"type": "sha256",
"uuid": "2a8ba564-8213-403b-bf7e-a924c49f0af7",
"value": "67250d5e5cb42df505b278e53ae346e7573ba60a06c3daac7ec05f853100e61c"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "filename",
"timestamp": "1645612354",
"to_ids": true,
"type": "filename",
"uuid": "99568b0a-23da-43a9-9bee-48e1521cbd07",
"value": "Aircrafts PN#_ALT PN#_Desc_&_Qty Details.vbs"
}
]
},
{
"comment": "",
"deleted": false,
"description": "File object describing a file with meta-information",
"meta-category": "file",
"name": "file",
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
"template_version": "24",
"timestamp": "1645613409",
"uuid": "c36a2697-8119-46e0-b89f-01384eb2053d",
"Attribute": [
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha256",
"timestamp": "1645613409",
"to_ids": true,
"type": "sha256",
"uuid": "a0c362d3-ebc8-4d30-a213-83b7a320a8c6",
"value": "ebd7809cacae62bc94dfb8077868f53d53beb0614766213d48f4385ed09c73a6"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "filename",
"timestamp": "1645613409",
"to_ids": true,
"type": "filename",
"uuid": "50f28bc1-3d9c-4022-b2cd-f6d8c541edfb",
"value": "charters details.pdf.vbs"
}
]
},
{
"comment": "",
"deleted": false,
"description": "File object describing a file with meta-information",
"meta-category": "file",
"name": "file",
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
"template_version": "24",
"timestamp": "1645617913",
"uuid": "8962cf89-2169-4b50-8eb5-a365e15941ba",
"Attribute": [
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha256",
"timestamp": "1645617913",
"to_ids": true,
"type": "sha256",
"uuid": "52cd6219-c7ae-48f6-b104-192bf3beeb1d",
"value": "4717ee69d28306254b1affa7efc0a50c481c3930025e75366ce93c99505ded96"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "filename",
"timestamp": "1645617913",
"to_ids": true,
"type": "filename",
"uuid": "2b0cd042-4762-4317-8d01-cd5e3822498e",
"value": "charters details.pdf.vbs"
}
]
},
{
"comment": "",
"deleted": false,
"description": "File object describing a file with meta-information",
"meta-category": "file",
"name": "file",
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
"template_version": "24",
"timestamp": "1645619481",
"uuid": "8c5391ff-1d25-46d1-9435-77bcaf4418f6",
"Attribute": [
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha256",
"timestamp": "1645619481",
"to_ids": true,
"type": "sha256",
"uuid": "6d73cda5-243b-4f52-be7f-b1bd06fc1a13",
"value": "d793f37eb89310ddfc6d0337598c316db0eccda4d30e34143c768235594a169c"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "filename",
"timestamp": "1645619481",
"to_ids": true,
"type": "filename",
"uuid": "a9bd9239-fe5b-4feb-9595-b3a65345682b",
"value": "4Pax Trip Details.pdf.vbs"
}
]
}
]
}
}